New Exploit Evades All Antivirus Products For Almost A Day

An automated attack toolkit that surfaced this month is believed to be behind a new wave of ransomware attacks, according to a security researcher at Malwarebytes who said it managed to avoid detection by major antivirus vendors for nearly a full day.

The exploit toolkit, called Neutrino, uses two Java vulnerabilities in its attack and drops malware on the victim's machine, said Jerome Segura, senior threat researcher at Malwarebytes, in an analysis of the attack. To evade antivirus, the author of the malware renamed the encrypted malware package, making it look like Skype. Segura said the initial Trojan contacts a command and control server, which downloads a ransomware interface onto the victim's machine.

When the victim attempts to view a website, a local Web page displays a phony FBI warning. The message, widely seen in other ransomware attacks, warns the user that the computer was locked due to an infection and requests payment to unlock the device. Segura said the malware creates overlapping windows that prevent the user from accessing much of the system.

"Some of these threads limit the user's interaction with the operating system by preventing access to the desktop and killing any launched task manager processes," Segura wrote.

The Neutrino toolkit, believed to be used in the ransomware campaign, is being rented in hacking forums for $40 a day or $450 a month, according to Trend Micro. To avoid detection, the kit encrypts stolen data that is removed from systems, and it has traffic filtering and antivirus monitoring to further shield itself, the firm said.

The latest ransomware detected by Malwarebytes is another in a growing number of ransomware variants being peddled by financially motivated cybercriminals. Symantec issued a report in November warning that it has identified 16 different families of malware using the ransom attack technique.

The highest rates of infection have been in the U.S. and Europe, Symantec said. The attacks are profitable, and as a result cybercriminals are building business networks to spread the malware.

"There are other signs that ransomware is becoming increasingly professional," Symantec said in its report. "Considerable investment is made into their infrastructure, with the attackers moving exploit pack websites to new addresses regularly."

Symantec's analysis of a single ransomware attack showed more than 68,000 infected systems in a month in 2012, resulting in an estimated $394,000 haul for the cybercriminals. The attackers are exploiting patched Java vulnerabilities as well as Adobe Flash, Windows and browser vulnerabilities, the firm said, urging users to ensure their systems are fully patched.

The firm said it anticipates cybercriminals will develop more sophisticated means to evade detection and prevent removal.